
<noframes id="prjbr"><del id="prjbr"><em id="prjbr"></em></del>
      <noframes id="prjbr">


          Shadow Attacks Allow Meddling With Content In Digitally Signed PDFs

          by Abeerah Hashim

          Digitally signed PDF documents are considered as valid as documents with handwritten signatures. However, a recently discovered attack threatens the legitimacy of this technique. Researchers have found Shadow attacks that allow modifying the content of digitally signed PDFs.

          Shadow Attacks Threaten Signed PDFs

          Researchers from Ruhr University Bochum, Germany, have devised a new strategy that allows meddling with PDFs. Dubbed Shadow attacks, it comprises multiple attack techniques that allow changing the content of digitally signed PDFs.

          Specifically, these attacks exploit the legitimate features that keep the target documents compliant with the standards. Thus, shadow attacks bypass all existing strategies that detect any malicious editing attempts on PDFs.

          In brief, these attacks build on how people use PDF documents and digital signatures today.

          In a real-world scenario, somebody prepares a document with some content that the two parties subsequently review before signing. Likewise, Shadow attacks let an adversary create a malicious document that hides the attackers’ intended content behind the legitimate one.

          When the first party reviews the document, the content appears fine. Hence, the signer signs it. After that, the attacker meddles with the content, so the second party sees different content.

          As the researchers explained,

          The attackers prepare a shadow document. In the analog world, this is the step in which the attackers could explicitly leave empty spaces. The Signers of the PDF receive the document, review it, and sign it. The attackers use the signed document, modify it, and send it to the victims. In the analog world, the attackers can print their content on the prepared empty spaces. After opening the signed PDF, the victims’ PDF viewer successfully verifies the digital signature. However, the victims see different content than the Signers.

          The adversary can carry out these attacks using three different approaches: hide, replace, and hide-and-replace.

          Source: Rohlmann et al.

          These attacks require no loading of content from external sources or running scripts. Nor do they invalidate digital signatures or trigger warnings. Hence, detecting these attacks remains difficult.
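
          A defender-side check for content added after signing, as an added example that is not from the article and is not the researchers' PDF-Detector. It relies on two facts about PDF signatures that the article does not spell out: a signature covers exactly the byte spans listed in its /ByteRange entry, and changes made after signing are appended to the file as incremental updates. The function names and the sample bytes are constructed for illustration.

```python
import re

# "/ByteRange [a b c d]" marks the signed spans [a, a+b) and [c, c+d);
# the signature value itself sits in the gap between them.
BYTE_RANGE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")
OBJ_HEADER = re.compile(rb"(\d+)\s+\d+\s+obj\b")

def signature_coverage(pdf: bytes) -> list:
    """Per signature: where its coverage ends and what follows it."""
    report = []
    for m in BYTE_RANGE.finditer(pdf):
        a, b, c, d = (int(g) for g in m.groups())
        tail = pdf[c + d:]
        report.append({
            "byte_range": (a, b, c, d),
            "signed_end": c + d,
            "unsigned_tail_bytes": len(tail),
            # every incremental update is terminated by its own %%EOF
            "updates_after_signature": tail.count(b"%%EOF"),
            # object numbers defined or redefined after signing
            "objects_after_signature": [int(n) for n in OBJ_HEADER.findall(tail)],
        })
    return report

def needs_review(pdf: bytes) -> bool:
    """True if the file is signed but no signature covers it to the last byte."""
    report = signature_coverage(pdf)
    return bool(report) and all(r["unsigned_tail_bytes"] > 0 for r in report)

def build_sample(appended: bytes = b"") -> bytes:
    """Constructed PDF-like bytes for the demo (not a complete, valid PDF)."""
    before = "%PDF-1.7\n5 0 obj\n<< /Type /Sig /ByteRange [0 {:04d} {:04d} {:04d}] /Contents "
    sig = b"<" + b"00" * 8 + b">"
    after = b" >>\nendobj\n%%EOF\n"
    n = len(before.format(0, 0, 0))
    return before.format(n, n + len(sig), len(after)).encode() + sig + after + appended

# Constructed incremental update appended after signing.
UPDATE = b"7 0 obj\n<< /Type /Page >>\nendobj\ntrailer\n<< >>\n%%EOF\n"

if __name__ == "__main__":
    for name, data in (("as signed", build_sample()), ("modified", build_sample(UPDATE))):
        print(name, needs_review(data), signature_coverage(data))
```

          Unsigned trailing bytes are not proof of tampering, since later signatures and timestamps are appended the same way. A hit means the appended objects should be compared against the revision the signer actually saw.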

          What Next?

          Previously, in 2019, Mladenov et al. disclosed similar attacks targeting signed PDFs. Following that research, almost all PDF viewers implemented strategies mitigating such attacks.

          However, all of the existing security measures proved useless against Shadow attacks.

          The researchers tested 29 different PDF viewers during their study. Of these, they found 16 fully vulnerable to Shadow attacks, including Foxit Reader and Adobe Acrobat. Whereas, the other

          They have also introduced PDF-Attacker, a tool that automatically exploits these attacks, as well as PDF-Detector, a tool that detects Shadow attacks.

          Before public disclosure, the researchers coordinated with the respective vendors via CERT-Bund. In turn, 15 of these implemented quick fixes and now remain safe from Shadow attacks. These include the popular tools Adobe, Foxit, LibreOffice, Power PDF, and Soda PDF.

          However, the researchers suspect that 11 other tools may remain vulnerable: Master PDF on Windows and Linux, Nitro Pro, PDFXChange Editor, Perfect PDF Reader, Expert PDF 14, Nitro Reader, PDF Editor 6 Pro, Perfect PDF 8 Reader, and Perfect PDF 10 Premium.

          Technical details of Shadow attacks are available in the researchers’ paper, which they recently presented at the Network and Distributed System Security Symposium (NDSS) 2021.
